Was Microsoft Slow to Patch Video ActiveX Vulnerability?

The vulnerability in the Video ActiveX control Microsoft has warned about was reported to the company in 2008, but that doesn't mean Microsoft dragged its feet too much when it came to patching, says one of the researchers who found the vulnerability. With hackers circling, however, users may not want to wait on a patch to protect them.

"I really don't think it's an entirely too long of a
period," said Wheeler, who is now with TippingPoint DVLabs. "They've
got a lot of bugs to deal with, a lot of bugs to patch, and they try to address
the most critical and serious ones first, those being the ones ... exploited
currently. This particular bug affected a lot of different areas of code so I
think it's reasonable for them to take a while to address it."'

The Video ActiveX control is used to connect Microsoft
DirectShow filters for use in capturing, recording and playing video, and is
the main component Microsoft Windows Media Center uses to build filter graphs
for recording and playing television video.
While little has been said publicly about the exact nature
of the vulnerability, an advisory from X-Force describes CVE-2008-0015 as a
buffer overflow vulnerability, and states the first known exploitation in the wild
occurred June 11.
News that the vulnerability was being exploited hit the Web July
6 when Microsoft warned of reports of attacks. If successful, a hacker could
execute code remotely and take control of a system. So far the exploit seems to
be spreading via drive-by downloads on compromised and malicious sites.
Researchers at Trend Micro reported July 7 that about 1,000 Chinese Websites
were infected with a malicious script that leads users to successive site
redirections before leading them to a download of a .jpg file containing the
exploit.
In that case, the script downloads another piece of malware
detected by Trend Micro as WORM_KILLAV.AI,
which disables anti-virus software and drops other malware on the affected
system.
"What we've been able to determine so far is most of
the early attack data was coming from IP addresses located or geo-IP located
outside the U.S.,"
Wheeler said, adding that there is more than one variant of the exploit going
around.
Internet Explorer is particularly susceptible to the
drive-by attacks, and Microsoft is recommending that users remove support for
the ActiveX Control within Internet Explorer using all the Class Identifiers
listed in the Workaround section of the Microsoft advisory. There is
also a way for organizations to automatically deploy the workaround, available
here.
In addition to CVE-2008-0015, X-Force also identified a
memory corruption vulnerability in the ActiveX control registered as
CVE-2008-0020. Microsoft officials did not say when a patch would be made
available for the flaw. The next round of Patch Tuesday fixes for Microsoft is
scheduled for July 14.